Use FHIR in open EMR V7

Great post Mandrake, the only thing I would mention is that applications that are patient-facing (meaning it is a patient that is using the app in their browser or mobile device) should use the Authorization Grant flow and not the client credentials grant. If you need offline_access you must request the offline_access scope in your app registration as well as in your authorization request.

Client Credentials grant is intended to be used for backend server-to-server communication. While you can register a mobile device or even a browser with a JWKS right now in OpenEMR, at some point we plan to restrict the JWKS registration to the URL option only in order to improve the security and ‘authenticity’ element of the credentials grant. The OpenEMR server will request the JWKS from the backend, and so the URL must be publicly accessible on the internet, secured via SSL/TLS.

Overall though great explanation and walkthrough @mandrake, thanks for putting this together.
